-rw-r--r--kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat4
-rw-r--r--kubernetes/aai/components/aai-resources/templates/deployment.yaml2
-rw-r--r--kubernetes/aai/requirements.yaml3
-rw-r--r--kubernetes/aai/resources/config/haproxy/aai.pem88
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg2
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy.cfg2
-rw-r--r--kubernetes/aai/templates/configmap.yaml30
-rw-r--r--kubernetes/aai/templates/deployment.yaml10
-rw-r--r--kubernetes/aai/values.yaml39
-rw-r--r--kubernetes/common/cmpv2Certificate/Chart.yaml18
-rw-r--r--kubernetes/common/cmpv2Certificate/requirements.yaml21
-rw-r--r--kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl174
-rw-r--r--kubernetes/common/cmpv2Certificate/values.yaml48
-rw-r--r--kubernetes/common/cmpv2Config/values.yaml6
-rw-r--r--kubernetes/common/etcd/templates/statefulset.yaml4
-rw-r--r--kubernetes/common/repositoryGenerator/templates/_repository.tpl4
-rw-r--r--kubernetes/common/repositoryGenerator/values.yaml3
-rw-r--r--kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml2
-rw-r--r--kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml2
-rw-r--r--kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml2
-rw-r--r--kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml2
-rw-r--r--kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/service.yaml2
-rw-r--r--kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml2
-rw-r--r--kubernetes/dmaap/components/message-router/components/message-router-zookeeper/templates/statefulset.yaml2
-rw-r--r--kubernetes/dmaap/components/message-router/components/message-router-zookeeper/values.yaml6
-rwxr-xr-xkubernetes/onap/values.yaml5
-rw-r--r--kubernetes/platform/components/oom-cert-service/values.yaml4
-rw-r--r--kubernetes/sdnc/requirements.yaml4
-rw-r--r--kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties14
-rw-r--r--kubernetes/sdnc/templates/statefulset.yaml70
-rw-r--r--kubernetes/sdnc/values.yaml48
31 files changed, 393 insertions, 230 deletions
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
index cbe9864f1b..6fc63e47d7 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
@@ -3,8 +3,8 @@ aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|
aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file'}
aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
-aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
+aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
clamp@clamp.onap.org|clamp|local|/opt/app/osaaf/local||mailto:|org.onap.clamp|root|30|{'clamp', 'clamp-onap', 'clamp.api.simpledemo.onap.org', 'clamp.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
index 84d3df3927..09e9607de7 100644
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@ -1234,6 +1234,8 @@ spec:
value: {{ .Values.global.config.userId | quote }}
- name: LOCAL_GROUP_ID
value: {{ .Values.global.config.groupId | quote }}
+ - name: POST_JAVA_OPTS
+ value: '-Djavax.net.ssl.trustStore=/opt/app/aai-resources/resources/aaf/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword=changeit'
volumeMounts:
- mountPath: /etc/localtime
name: localtime
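Review bot: The added `POST_JAVA_OPTS` entry hard-codes both the truststore path and `-Djavax.net.ssl.trustStorePassword=changeit` in the template, so the value appears verbatim in the pod spec and on the JVM command line, and cannot be overridden without patching the chart. Reading the option string from chart values would keep it configurable per deployment. Setting `javax.net.ssl.trustStore` also replaces the JVM's default CA set for the whole process, which deserves a comment above the entry, for example `# overrides the JVM default truststore: all outbound TLS from this container is validated against truststoreONAPall.jks only`. The container spec starts and ends outside this hunk.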
diff --git a/kubernetes/aai/requirements.yaml b/kubernetes/aai/requirements.yaml
index bdab308144..c8970da183 100644
--- a/kubernetes/aai/requirements.yaml
+++ b/kubernetes/aai/requirements.yaml
@@ -28,6 +28,9 @@ dependencies:
# be published independently to a repo (at this point)
repository: '@local'
condition: global.cassandra.localCluster
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~7.x-0
repository: '@local'
diff --git a/kubernetes/aai/resources/config/haproxy/aai.pem b/kubernetes/aai/resources/config/haproxy/aai.pem
deleted file mode 100644
index 6390db10de..0000000000
--- a/kubernetes/aai/resources/config/haproxy/aai.pem
+++ /dev/null
@@ -1,88 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFKzCCBBOgAwIBAgIILW/fiLbps3kwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
-BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
-bnRlcm1lZGlhdGVDQV85MB4XDTIwMDMxNzIwMjg1NloXDTIxMDMxNzIwMjg1Nlow
-WTEMMAoGA1UEAwwDYWFpMR0wGwYDVQQLDBRhYWlAYWFpLm9uYXAub3JnOkRFVjEO
-MAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAov4ddmOzRCWAU/sx2Q9kcYZZ0r/x
-agqwDBcmlS2OP0MAou/f/xY2gzE2ugXXGGEXG6PCUx4YEHGeRxyezEQ/+c+kSjFe
-0FTUa8Z1Ojad3VDsJfjfZ1994NpV99KTrrw1Twq9Ei7dpkypUA8kZxEjg7eM11TU
-F4jS6x5NEyVsxih5uJjIF7ErGwimSEKsympcsXezYgG9Z/VPBpZWmYlYl5MWjzT6
-F0FgGfSbajWauMifEPajmvn8ZXn6Lyx0RCI25+BCcOhS6UvYXFX+jE/uOoEbKgwz
-11tIdryEFrXiLVfD01uhacx02YCrzj1u53RWiD6bCPyatKo1hQsf+aDkEQIDAQAB
-o4ICBzCCAgMwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBeAwIAYDVR0lAQH/BBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMFQGA1UdIwRNMEuAFIH3mVsQuciM3vNSXupO
-aaBDPqzdoTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05BUDELMAkG
-A1UEBhMCVVOCAQcwHQYDVR0OBBYEFP94WTftXhHcz93nBT6jIdMe6h+6MIIBTQYD
-VR0RBIIBRDCCAUCBH21hcmsuZC5tYW5hZ2VyQHBlb3BsZS5vc2FhZi5jb22CA2Fh
-aYIUYWFpLXNlYXJjaC1kYXRhLm9uYXCCEmFhaS1zcGFya3ktYmUub25hcIIbYWFp
-LmFwaS5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZWxhc3RpY3NlYXJjaC5zaW1w
-bGVkZW1vLm9uYXAub3JngiVhYWkuZ3JlbWxpbnNlcnZlci5zaW1wbGVkZW1vLm9u
-YXAub3Jngh1hYWkuaGJhc2Uuc2ltcGxlZGVtby5vbmFwLm9yZ4IIYWFpLm9uYXCC
-JWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25hcC5vcmeCF2FhaS5zaW1w
-bGVkZW1vLm9uYXAub3JnghphYWkudWkuc2ltcGxlZGVtby5vbmFwLm9yZzANBgkq
-hkiG9w0BAQsFAAOCAQEAVigPPsYd8yscW+U6zpffBc5S6Mg2DQD/gikB0uF//lIq
-oa5qTI3yB0wPoRKmxpeEZiJYDkBs3App2sPM2fPb9GGmGncCLkprqTflM2Y4yxX4
-k/a7w8vEwMoCrBgxEdmniAj9TirsISyLqBIXoGT7WtaXBLZarYhJ4P7TplhyWuwe
-sV6jxkZLIRLj31ihf32adFIhPZQKxaHbbFnyEylLTdPuZGy3nvdmjajZuomOFF8h
-HhDIouSJAtgkuWVsMiX6iR1qG9//6ymnZMvUyDGr8bkZURhMqesAejwP4aKxqDZg
-B0uVjapQTJH4ES0M+2PoY9gP8uh0dc3TusOs1QYJiA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
-RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN
-MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
-A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL
-neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d
-o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3
-nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV
-v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO
-15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw
-gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV
-M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
-BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q
-ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl
-u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+
-+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/
-QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht
-8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX
-kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3
-aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky
-uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w
-tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep
-BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k=
------END CERTIFICATE-----
-Bag Attributes
- friendlyName: aai@aai.onap.org
- localKeyID: 54 69 6D 65 20 31 35 38 34 34 37 36 39 33 36 35 31 35
-Key Attributes: <No Attributes>
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCi/h12Y7NEJYBT
-+zHZD2RxhlnSv/FqCrAMFyaVLY4/QwCi79//FjaDMTa6BdcYYRcbo8JTHhgQcZ5H
-HJ7MRD/5z6RKMV7QVNRrxnU6Np3dUOwl+N9nX33g2lX30pOuvDVPCr0SLt2mTKlQ
-DyRnESODt4zXVNQXiNLrHk0TJWzGKHm4mMgXsSsbCKZIQqzKalyxd7NiAb1n9U8G
-llaZiViXkxaPNPoXQWAZ9JtqNZq4yJ8Q9qOa+fxlefovLHREIjbn4EJw6FLpS9hc
-Vf6MT+46gRsqDDPXW0h2vIQWteItV8PTW6FpzHTZgKvOPW7ndFaIPpsI/Jq0qjWF
-Cx/5oOQRAgMBAAECggEAVYWGSf9IKYKP0gDkh+LmrhZzfPxPnHddJgrjqLSNha4P
-YG8CliK+mZmyAGteECGpcUw8g0YwFDi5dtCSldVdyCLmLjO3bxKDnsUz70aHEIAM
-WGQ8PE5Diz6kivMHoFCKnB2jVS4YCNECqco4LIg2nT8q/DU7T9nv6YQtptUlPNdY
-OmJRXfUfcBSUINqVi/VbEjHtbZqc6dgvaRNEF0CYtqHm7P51BXGa3pH+6drL+U+a
-o3T4yHrEsDKUaQzJZoiJneexwN91x42gcyHzg30UZVgCP+9Zt2GQWXqpENNZjGlI
-bwzouvBj266ViBNbuu3tar58MASOCnCKGA0Jrs3P3QKBgQD0ENenvzaqNzV0A47x
-+RI76DM2eorY2dxh+4txAt1pXlkbMZuWXjs1ysBPYaGHZRitiCFcaSwdP2T0oCET
-ojYEU97bJkKlcuw2scAqznSi7U0uSaStwaWzEviGTsQ51MKghRESMfpt3BxZqyi0
-BV+fPeRk3l3xaw1AuZQ/JTn0qwKBgQCq9msPcbRzKvsmfsAVvjKAodzl6EaM+PcF
-YLnJLurjCtdyjj1lRaCBg9bRbaRbt9YPg4VA5oMYm2SuwbJQQHjqaeN+SpnV8GGc
-nPsZgoSlfZrnLovyGgC3muiA3uSPREZWUlp+IE8qlQ8VztSWkNyxNej4nhxk2UTH
-DOE2ZmNyMwKBgFD+yeKkZUrFuZp/l8+bfb6dx2kb77oZSrbFmLfvYHUYV2/b3atg
-KDwoxftSBh39odvs4k1dpcMrB6DbBz8RxOVYxAtsPg/T/KoGASTzkOeE4ukqjVkQ
-e6Ha+NjxiNM8VT6aCllEdrxAoLPtRju/0MTy8Dm9ReXZRfOl4pm2C+6zAoGAY2D6
-uu+NxaSmeaoUXo9BLCTrE3oCCNBwR2ACnz/2qiQTOTQV3FitBJxusy7Y67fhZwM8
-4o0ch6FM1Yki7iOMJjeHVlJnOkWReEiIbjvAf7KT6O7VytXytMgHf2IR2nYFrQgS
-Ml71pfsf2b1xNlTe9OQxmNPQDY9+u3ZxM/4wsKECgYBPvlYMaZNIOLFf7VXzUYGG
-rkXMpbLgLvIHvhF+4nsvspPVSqPeWjh2KMee3tMamy93H4R66G/KfoQw02JuZH+N
-HbGnnpyLa2jGjY0NkXEo08o2wsqv2QFtT/SFRoDLkah8rwZUwpxIg0akgrwwTslO
-rzAazDQvlb0itUxgU4qgqw==
------END PRIVATE KEY-----
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index b05ffaeaf2..e605e1886f 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -62,7 +62,7 @@ defaults
frontend IST_8443
mode http
- bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+ bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
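Review bot: The new `crt` path on the `bind` line points to a file that is not part of the chart: it is assembled at pod start by the `aaf_add_config` script added to kubernetes/aai/values.yaml in this commit, and nothing in the config says so. A comment above the line would help, for example `# fullchain.pem (cert + CA cert + private key) is generated by the certInitializer init container`. The same applies to the identical hunk in haproxy.cfg. The key pair previously mounted at `/etc/ssl/private/aai.pem` is deleted from the tree by this commit but remains in repository history, so it should be treated as exposed and not reused. The `frontend IST_8443` section continues outside the hunk.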
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index ea29c903ba..c8f3670349 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -60,7 +60,7 @@ defaults
frontend IST_8443
mode http
- bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+ bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index d2735b4882..b0da359ab1 100644
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -44,36 +44,6 @@ data:
{{ else }}
{{ tpl (.Files.Glob "resources/config/haproxy/haproxy.cfg").AsConfig . | indent 2 }}
{{ end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: aai-haproxy-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/haproxy/aai.pem").AsSecrets . | indent 2 }}
-# This is a shared key for both resources and traversal
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: aai-auth-truststore-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}
-
{{ if .Values.global.installSidecarSecurity }}
---
apiVersion: v1
diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 83d78238b0..2ca489f2de 100644
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -39,7 +39,7 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- command:
- /app/ready.py
args:
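Review bot: The HAProxy certificate now comes only from the `common.certInitializer.*` includes added here and in the two later hunks of this file, while the `bind … crt /opt/app/osaaf/local/certs/fullchain.pem` line changed in this commit is unconditional. If those helpers render nothing when AAF is disabled, the pod would start with no certificate at that path, whereas the removed `aai-pem` secret was always mounted. The helper definitions are not on this page, so this needs confirming; if it holds, either guard the HAProxy config the same way or document that the chart now requires AAF. Minor style point: the volumes include in the last hunk uses `{{ include` where the volumeMount one uses `{{- include`, and `{{- include "common.certInitializer.volumes" . | nindent 8 }}` would avoid the stray whitespace-only line and match.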
@@ -75,9 +75,7 @@ spec:
subPath: haproxy.cfg
{{ end }}
name: haproxy-cfg
- - mountPath: /etc/ssl/private/aai.pem
- name: aai-pem
- subPath: aai.pem
+ {{- include "common.certInitializer.volumeMount" . | nindent 8 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
@@ -128,8 +126,6 @@ spec:
- name: haproxy-cfg
configMap:
name: aai-deployment-configmap
- - name: aai-pem
- secret:
- secretName: aai-haproxy-secret
+ {{ include "common.certInitializer.volumes" . | nindent 8 }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 86ecb8b355..08a1fb8b17 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -295,6 +295,44 @@ global: # global defaults
# since when this is enabled, it prints a lot of information to console
enabled: false
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: "aai"
+ app_ns: "org.osaaf.aaf"
+ fqi_namespace: "org.onap.aai"
+ fqi: "aai@aai.onap.org"
+ public_fqdn: "aaf.osaaf.org"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** retrieving passwords from AAF"
+ /opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ export $(grep '^c' {{ .Values.credsPath }}/mycreds.prop | xargs -0)
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** generating needed file"
+ cat {{ .Values.credsPath }}/certs/cert.pem \
+ {{ .Values.credsPath }}/certs/cacert.pem \
+ {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ > {{ .Values.credsPath }}/certs/fullchain.pem;
+ chown 1001 {{ .Values.credsPath }}/certs/*
+
# application image
dockerhubRepository: registry.hub.docker.com
image: aaionap/haproxy:1.4.2
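Review bot: `aaf_add_config` concatenates the service private key (`{{ .Values.fqi_namespace }}.key`) into `fullchain.pem` but never restricts the file's mode; the visible script only runs `chown 1001` on it, so adding `chmod 600 {{ .Values.credsPath }}/certs/fullchain.pem` after the `chown` line would close that gap. The store passwords are expanded unquoted onto the `keytool` and `openssl` command lines, where they are visible in the process list and break on whitespace or glob characters. `-storepass:env cadi_truststore_password` and `-passin env:cadi_keystore_password_p12` read them from the already exported environment instead, and `-passout` looks unnecessary with `-nokeys`. Separately, `aafDeployPass: demo123456!` is a default credential in chart values, and a comment directing deployers to `aafDeployCredsExternalSecret` would make the intended override explicit.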
@@ -379,4 +417,3 @@ resources:
cpu: 2
memory: 2Gi
unlimited: {}
-
diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml
new file mode 100644
index 0000000000..e50de72605
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to add cmpv2 certificates to components
+name: cmpv2Certificate
+version: 7.0.0
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
new file mode 100644
index 0000000000..367d879450
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/requirements.yaml
@@ -0,0 +1,21 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: 'file://../common'
+ - name: repositoryGenerator
+ version: ~7.x-0
+ repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
new file mode 100644
index 0000000000..57e6c69b1f
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -0,0 +1,174 @@
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each
+certificate will be requested from separate init container
+
+Minimum example of array in target component values.yaml:
+certificates:
+ - mountPath: /var/custom-certs
+ commonName: common-name
+
+Full example (other fields are ignored):
+certificates:
+ - mountPath: /var/custom-certs
+ caName: RA
+ outputType: JKS
+ commonName: common-name
+ dnsNames:
+ - dns-name-1
+ - dns-name-2
+ ipAddresses:
+ - 192.168.0.1
+ - 192.168.0.2
+ emailAddresses:
+ - email-1@onap.org
+ - email-2@onap.org
+ uris:
+ - http://uri-1.onap.org
+ - http://uri-2.onap.org
+ subject:
+ organization: Linux-Foundation
+ country: US
+ locality: San Francisco
+ province: California
+ organizationalUnit: ONAP
+
+There also need to be some includes used in a target component deployment (indent values may need to be adjusted):
+ 1. In initContainers section:
+ {{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ 2. In volumeMounts section of container using certificates:
+ {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
+ 3. In volumes section:
+ {{ include "common.certServiceClient.volumes" . | indent 8 }}
+
+*/}}
+
+{{- define "common.certServiceClient.initContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{/*# General certifiacate attributes #*/}}
+{{- $commonName := $certificate.commonName -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default (list) $certificate.dnsNames -}}
+{{- $ipAddresses := default (list) $certificate.ipAddresses -}}
+{{- $uris := default (list) $certificate.uris -}}
+{{- $emailAddresses := default (list) $certificate.emailAddresses -}}
+{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}}
+{{- $sans := join "," $sansList }}
+{{/*# Subject #*/}}
+{{- $organization := $subchartGlobal.certificate.default.subject.organization -}}
+{{- $country := $subchartGlobal.certificate.default.subject.country -}}
+{{- $locality := $subchartGlobal.certificate.default.subject.locality -}}
+{{- $province := $subchartGlobal.certificate.default.subject.province -}}
+{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}}
+{{- if $certificate.subject -}}
+{{- $organization := $certificate.subject.organization -}}
+{{- $country := $certificate.subject.country -}}
+{{- $locality := $certificate.subject.locality -}}
+{{- $province := $certificate.subject.province -}}
+{{- $orgUnit := $certificate.subject.organizationalUnit -}}
+{{- end -}}
+{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
+{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}}
+{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
+{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
+{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
+{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
+{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
+{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
+{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+- name: certs-init-{{ $index }}
+ image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ env:
+ - name: REQUEST_URL
+ value: {{ $requestUrl | quote }}
+ - name: REQUEST_TIMEOUT
+ value: {{ $requestTimeout | quote }}
+ - name: OUTPUT_PATH
+ value: {{ $certPath | quote }}
+ - name: OUTPUT_TYPE
+ value: {{ $outputType | quote }}
+ - name: CA_NAME
+ value: {{ $caName | quote }}
+ - name: COMMON_NAME
+ value: {{ $commonName | quote }}
+ - name: SANS
+ value: {{ $sans | quote }}
+ - name: ORGANIZATION
+ value: {{ $organization | quote }}
+ - name: ORGANIZATION_UNIT
+ value: {{ $orgUnit | quote }}
+ - name: LOCATION
+ value: {{ $locality | quote }}
+ - name: STATE
+ value: {{ $province | quote }}
+ - name: COUNTRY
+ value: {{ $country | quote }}
+ - name: KEYSTORE_PATH
+ value: {{ $keystorePath | quote }}
+ - name: KEYSTORE_PASSWORD
+ value: {{ $keystorePassword | quote }}
+ - name: TRUSTSTORE_PATH
+ value: {{ $truststorePath | quote }}
+ - name: TRUSTSTORE_PASSWORD
+ value: {{ $truststorePassword | quote }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: {{ $certPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+ - mountPath: {{ $certificatesSecretMountPath }}
+ name: certservice-tls-volume
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+- name: certservice-tls-volume
+ secret:
+ secretName: {{ $certificatesSecretName }}
+{{ range $index, $certificate := $dot.Values.certificates -}}
+- name: cmpv2-certs-volume-{{ $index }}
+ emptyDir:
+ medium: Memory
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
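Review bot: The per-certificate subject override in `common.certServiceClient.initContainer` never takes effect, because the five lines inside `{{- if $certificate.subject -}}` use `:=`. That declares new variables scoped to the `if` block, so the outer `$organization`, `$country`, `$locality`, `$province` and `$orgUnit` keep the global defaults when the env vars are rendered. Using `=` assigns to the outer variables, and wrapping each in `default` keeps the global value when a certificate sets only some subject fields. Also, the comment `General certifiacate attributes` has a typo ("certificate").

```yaml
{{- if $certificate.subject -}}
{{- $organization = default $organization $certificate.subject.organization -}}
{{- $country = default $country $certificate.subject.country -}}
{{- $locality = default $locality $certificate.subject.locality -}}
{{- $province = default $province $certificate.subject.province -}}
{{- $orgUnit = default $orgUnit $certificate.subject.organizationalUnit -}}
{{- end -}}
```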
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
new file mode 100644
index 0000000000..b7531431c4
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/values.yaml
@@ -0,0 +1,48 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration default values that can be inherited by
+# all subcharts.
+#################################################################
+global:
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
+
+ certificate:
+ default:
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+
+ platform:
+ certServiceClient:
+ secret:
+ name: oom-cert-service-client-tls-secret
+ mountPath: /etc/onap/oom/certservice/certs/
+ envVariables:
+ certPath: "/var/custom-certs"
+ # Client configuration related
+ caName: "RA"
+ requestURL: "https://oom-cert-service:8443/v1/certificate/"
+ requestTimeout: "30000"
+ keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
+ keystorePassword: "secret"
+ truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+ truststorePassword: "secret"
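Review bot: `keystorePassword: "secret"` and `truststorePassword: "secret"` are shipped as defaults, and `_certServiceClient.tpl` in this commit renders them as literal `KEYSTORE_PASSWORD` / `TRUSTSTORE_PASSWORD` env values, so they are readable by anyone who can view the pod spec. Sourcing those two env vars from a Kubernetes Secret via `valueFrom.secretKeyRef` would keep them out of the rendered manifest. At minimum, a comment above the two keys should say that the defaults are placeholders to be overridden. This file also repeats settings that the context lines of kubernetes/common/cmpv2Config/values.yaml show under a different key (`secretName` there, `secret.name` here); a comment saying which chart is authoritative would prevent the two from drifting apart.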
diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml
index 19b87b1afa..b6ee064302 100644
--- a/kubernetes/common/cmpv2Config/values.yaml
+++ b/kubernetes/common/cmpv2Config/values.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2020 Nokia
+# Copyright © 2020-2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
global:
platform:
certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
secretName: oom-cert-service-client-tls-secret
envVariables:
# Certificate related
@@ -29,5 +29,5 @@ global:
keystorePassword: "secret"
truststorePassword: "secret"
certPostProcessor:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml
index f5592bd252..e39b8c4ca2 100644
--- a/kubernetes/common/etcd/templates/statefulset.yaml
+++ b/kubernetes/common/etcd/templates/statefulset.yaml
@@ -133,6 +133,10 @@ spec:
# we should wait for other pods to be up before trying to join
# otherwise we got "no such host" errors when trying to resolve other members
for i in $(seq 0 $((${INITIAL_CLUSTER_SIZE} - 1))); do
+ if [ "${SET_NAME}-${i}" == "${HOSTNAME}" ]; then
+ echo "Skipping self-checking"
+ continue
+ fi
while true; do
echo "Waiting for ${SET_NAME}-${i}.${SERVICE_NAME} to come up"
ping -W 1 -c 1 ${SET_NAME}-${i}.${SERVICE_NAME} > /dev/null && break
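Review bot: The added self-check compares with `==` inside `[ ]`, which bash and busybox accept but a strict POSIX `sh` does not. The interpreter for this script is not visible in the hunk, so the portable form `if [ "${SET_NAME}-${i}" = "${HOSTNAME}" ]; then` is the safer choice. The test also assumes the pod's `HOSTNAME` is exactly `${SET_NAME}-<ordinal>`, which holds for StatefulSet pods unless the hostname is overridden; a one-line comment saying so would help the next reader. The `for` and `while` loops continue past the end of the hunk.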
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index ba22bfbd60..a6b434f43a 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -82,6 +82,10 @@
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }}
{{- end -}}
+{{- define "repositoryGenerator.image.certserviceclient" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
+{{- end -}}
+
{{- define "repositoryGenerator.image.envsubst" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
{{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index def7381e46..559675689f 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -1,4 +1,5 @@
# Copyright © 2020 Orange
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,6 +23,7 @@ global:
# common global images
busyboxImage: busybox:1.32
curlImage: curlimages/curl:7.69.1
+ certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
envsubstImage: dibi/envsubst:1
# there's only latest image for htpasswd
htpasswdImage: xmartlabs/htpasswd:latest
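Review bot: `certServiceClientImage` on the added line carries the same `oom-certservice-client:2.3.3` tag that this commit also sets under `global.platform.certServiceClient.image` in `kubernetes/common/cmpv2Config/values.yaml` and `kubernetes/onap/values.yaml`, so the client version now lives in three places that have to be bumped together. Which templates still read the older `image` keys is not visible here. If the new `repositoryGenerator.image.certserviceclient` helper is meant to be the single source, a comment on this line such as `# keep in sync with global.platform.certServiceClient.image until that key is removed` would prevent the versions drifting apart.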
@@ -53,6 +55,7 @@ global:
imageRepoMapping:
busyboxImage: dockerHubRepository
curlImage: dockerHubRepository
+ certServiceClientImage: repository
envsubstImage: dockerHubRepository
htpasswdImage: dockerHubRepository
jreImage: repository
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
index 13ea930aa5..a9c0029f41 100644
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
+++ b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
@@ -92,7 +92,7 @@ postgres:
mountInitPath: dcaemod
# application image
-image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.3
+image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.4
# Resource Limit flavor -By Default using small
flavor: small
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml
index b9f8943e04..03b5c83a97 100644
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml
+++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml
@@ -69,7 +69,7 @@ readiness:
# Should have a proper readiness endpoint or script
# application image
-image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.2.0
+image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.2.1
# Resource Limit flavor -By Default using small
flavor: small
diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
index f653a02cff..40a4d7db93 100644
--- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
@@ -87,7 +87,7 @@ spec:
{{- end -}}
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 10 }}
- {{- end -}}
+ {{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
image: {{ include "repositoryGenerator.image.logging" . }}
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
index a43073e8e2..5c94116bac 100644
--- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
@@ -105,7 +105,7 @@ spec:
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 10 }}
- {{- end -}}
+ {{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
image: {{ include "repositoryGenerator.image.logging" . }}
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/service.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/service.yaml
index b9472444a3..88c83981bb 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/service.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/service.yaml
@@ -32,7 +32,7 @@ spec:
type: {{ $root.Values.service.type }}
externalTrafficPolicy: Local
selector:
- statefulset.kubernetes.io/pod-name: {{ include "common.release" $root }}-{{ $root.Values.service.name }}-{{ $i }}
+ statefulset.kubernetes.io/pod-name: {{ include "common.release" $root }}-{{ $root.Values.service.name }}-{{ $i }}
ports:
- port: {{ $root.Values.service.externalPort }}
targetPort: {{ $root.Values.service.externalPort }}
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
index 03f8afa182..6c3cbc385a 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
@@ -159,7 +159,7 @@ persistence:
service:
type: NodePort
name: message-router-kafka
- portName: message-router-kafka
+ portName: tcp-message-router-kafka
internalPort: 9092
internalSSLPort: 9093
externalPort: 9091
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/templates/statefulset.yaml
index 52eff32242..5ea5bc53b7 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/templates/statefulset.yaml
@@ -163,6 +163,8 @@ spec:
value: "{{ .Values.zkConfig.clientPort }}"
- name: KAFKA_OPTS
value: "{{ .Values.zkConfig.kafkaOpts }}"
+ - name: ZOOKEEPER_QUORUM_LISTEN_ON_ALL_IPS
+ value: "true"
- name: ZOOKEEPER_SERVER_ID
valueFrom:
fieldRef:
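Review bot: `ZOOKEEPER_QUORUM_LISTEN_ON_ALL_IPS` is hard-coded to `"true"` with no comment; it presumably maps to ZooKeeper's `quorumListenOnAllIPs`, which makes the quorum and leader-election listeners bind to every address of the pod rather than only the configured server address. That is often needed in Kubernetes, but it also widens what ports 2888 and 3888 accept, so the reason and the compensating control belong next to the setting. If the reason is the usual one, a comment like `# bind quorum/election listeners on all pod addresses; access to 2888/3888 should be limited to the ZooKeeper pods by NetworkPolicy` would do. Whether a NetworkPolicy or quorum authentication exists for this chart is not visible in the hunk, and the `env:` list continues outside it.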
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/values.yaml b/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/values.yaml
index 2da42a4604..64c29db935 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/values.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-zookeeper/values.yaml
@@ -122,11 +122,11 @@ service:
type: ClusterIP
name: message-router-zookeeper
portName: message-router-zookeeper
- clientPortName: client
+ clientPortName: tcp-client
clientPort: 2181
- serverPortName: server
+ serverPortName: tcp-server
serverPort: 2888
- leaderElectionPortName: leader-election
+ leaderElectionPortName: tcp-leader
leaderElectionPort: 3888
ingress:
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 5376940938..b401d66c3a 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -1,6 +1,6 @@
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
-# Modifications Copyright © 2020 Nokia
+# Modifications Copyright © 2020-2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -202,11 +202,12 @@ global:
CMPv2CertManagerIntegration: false
platform:
certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
secret:
name: oom-cert-service-client-tls-secret
mountPath: /etc/onap/oom/certservice/certs/
envVariables:
+ certPath: "/var/custom-certs"
# Certificate related
cmpv2Organization: "Linux-Foundation"
cmpv2OrganizationalUnit: "ONAP"
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 8f31124e41..537b025fb0 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2020, Nokia
+# Copyright © 2020-2021, Nokia
# Modifications Copyright © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
@@ -38,7 +38,7 @@ certificateGenerationImage: onap/integration-java11:7.2.0
# Deployment configuration
repository: "nexus3.onap.org:10001"
-image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.2
+image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
pullPolicy: Always
replicaCount: 1
diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml
index 57c165c4c0..f58ecb16be 100644
--- a/kubernetes/sdnc/requirements.yaml
+++ b/kubernetes/sdnc/requirements.yaml
@@ -1,5 +1,6 @@
# Copyright © 2017 Amdocs, Bell Canada,
# Copyright © 2020 highstreet technologies GmbH
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,6 +21,9 @@ dependencies:
- name: certInitializer
version: ~7.x-0
repository: '@local'
+ - name: cmpv2Certificate
+ version: ~7.x-0
+ repository: '@local'
- name: logConfiguration
version: ~7.x-0
repository: '@local'
diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
index a21ac0441c..57a16bd488 100644
--- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
+++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
@@ -12,6 +12,13 @@ sdnrPasswd=${ODL_ADMIN_PASSWORD}
faultConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPFaultVESMsgConsumer
TransportType=HTTPNOAUTH
host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}}
+{{- if .Values.config.sdnr.dmaapProxy.enabled }}
+{{- if .Values.config.sdnr.dmaapProxy.usepwd }}
+jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME}
+jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD}
+{{- end }}
+jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }}
+{{- end }}
topic=unauthenticated.SEC_FAULT_OUTPUT
contenttype=application/json
group=myG
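Review bot: `jersey.config.client.proxy.uri` is rendered straight from `.Values.config.sdnr.dmaapProxy.url` with no check that a real URL was supplied, and the default this commit adds in `kubernetes/sdnc/values.yaml` is the placeholder `addProxyUrlHere`; the same block is repeated in the next hunk for the PNF registration consumer. Making the default empty and rendering `jersey.config.client.proxy.uri={{ required "config.sdnr.dmaapProxy.url must be set when dmaapProxy is enabled" .Values.config.sdnr.dmaapProxy.url }}` would fail at install time instead of starting the consumer with an unusable proxy. Because a username and password are sent to that proxy, a comment that the URL should use `https://` where the proxy supports it is also worth adding, since over plain HTTP the proxy credentials are only base64-encoded. Keeping the credentials as `${DMAAP_HTTP_PROXY_USERNAME}` and `${DMAAP_HTTP_PROXY_PASSWORD}` references rather than rendering them into this file is the right choice.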
@@ -23,6 +30,13 @@ limit=10000
pnfRegConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPPNFRegVESMsgConsumer
TransportType=HTTPNOAUTH
host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}}
+{{- if .Values.config.sdnr.dmaapProxy.enabled }}
+{{- if .Values.config.sdnr.dmaapProxy.usepwd }}
+jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME}
+jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD}
+{{- end }}
+jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }}
+{{- end }}
topic=unauthenticated.VES_PNFREG_OUTPUT
contenttype=application/json
group=myG
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 63b56f87a9..2158fefe19 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2020 Samsung Electronics
# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -66,6 +67,13 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }}
- name: ODL_ADMIN_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }}
+ {{ if and .Values.config.sdnr.dmaapProxy.enabled .Values.config.sdnr.dmaapProxy.usepwd }}
+ - name: DMAAP_HTTP_PROXY_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "login") | indent 10 }}
+ - name: DMAAP_HTTP_PROXY_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }}
+ {{- end }}
+
volumeMounts:
- mountPath: /config-input
@@ -98,50 +106,8 @@ spec:
name: {{ include "common.name" . }}-readiness
{{ end -}}
{{ include "common.certInitializer.initContainer" . | indent 6 }}
-
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs-init
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.platform.certServiceClient.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- env:
- - name: REQUEST_URL
- value: {{ .Values.global.platform.certServiceClient.envVariables.requestURL }}
- - name: REQUEST_TIMEOUT
- value: "30000"
- - name: OUTPUT_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- - name: CA_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.caName }}
- - name: COMMON_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.common_name }}
- - name: ORGANIZATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Organization }}
- - name: ORGANIZATION_UNIT
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
- - name: LOCATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Location }}
- - name: STATE
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2State }}
- - name: COUNTRY
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Country }}
- - name: KEYSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePath }}
- - name: KEYSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePassword }}
- - name: TRUSTSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePath }}
- - name: TRUSTSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePassword }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- - mountPath: {{ .Values.global.platform.certServiceClient.secret.mountPath }}
- name: certservice-tls-volume
- {{ end }}
-
- - name: {{ include "common.name" . }}-init-files
+{{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ - name: {{ include "common.name" . }}-chown
image: {{ include "repositoryGenerator.image.busybox" . }}
command:
- sh
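Review bot: The call site `{{ include "common.certServiceClient.initContainer" . | indent 6 }}` no longer shows what gates the init container. The removed block was wrapped in `.Values.global.cmpv2Enabled`, and this commit also deletes `cmpv2Enabled: true` from `kubernetes/sdnc/values.yaml`, so whether SDNC requests a certificate now depends on the helper's own condition and on the parent chart's globals. The helper body is outside this view, so I cannot confirm that condition; a template comment above the include naming the values that enable it would make the behaviour reviewable here. It is also worth checking that the helper does not still pass `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` as literal `value:` entries, as the removed lines did, because those are readable in the pod spec.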
@@ -150,7 +116,7 @@ spec:
- |
mkdir {{ .Values.persistence.mdsalPath }}/daexim
mkdir {{ .Values.persistence.mdsalPath }}/journal
- mkdir {{ .Values.persistence.mdsalPath }}/snapshots
+ mkdir {{ .Values.persistence.mdsalPath }}/snapshots
chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}
{{- if .Values.global.aafEnabled }}
chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}
@@ -236,6 +202,7 @@ spec:
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}
+{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -294,10 +261,6 @@ spec:
- mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties
name: properties
subPath: mountpoint-state-provider.properties
- {{ if .Values.global.cmpv2Enabled }}
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- {{- end }}
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -348,19 +311,12 @@ spec:
- name: properties
emptyDir:
medium: Memory
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs
- emptyDir:
- medium: Memory
- - name: certservice-tls-volume
- secret:
- secretName: {{ .Values.global.platform.certServiceClient.secret.name }}
- {{- end }}
{{ if not .Values.persistence.enabled }}
- name: {{ include "common.fullname" . }}-data
emptyDir: {}
{{ else }}
{{ include "common.certInitializer.volumes" . | nindent 8 }}
+{{ include "common.certServiceClient.volumes" . | nindent 8 }}
volumeClaimTemplates:
- metadata:
name: {{ include "common.fullname" . }}-data
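Review bot: The added `{{ include "common.certServiceClient.volumes" . | nindent 8 }}` sits after `{{ else }}`, so it is rendered only when `persistence.enabled` is true, whereas the `certs` and `certservice-tls-volume` definitions it replaces were emitted before the `{{ if not .Values.persistence.enabled }}` test and applied in both cases. With persistence disabled, the mounts added through `common.certServiceClient.volumeMounts` would reference volumes that are never declared and the pod spec would be rejected, assuming the helper emits mounts whenever CMPv2 is enabled. Moving the include to just above `{{ if not .Values.persistence.enabled }}` restores the previous behaviour. The existing `common.certInitializer.volumes` line appears to have the same placement problem. The closing `{{ end }}` of this conditional is outside the hunk, so the nesting should be confirmed against the full file.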
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index faf6594e2a..c02d5592e6 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -1,5 +1,6 @@
# Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,33 +30,8 @@ global:
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
- service: mariadb-galera
- # Enabling CMPv2
- cmpv2Enabled: true
+ # Enabling CMPv2 with CertManager
CMPv2CertManagerIntegration: false
- platform:
- certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- # Certificate related
- cert_path: /var/custom-certs
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2Country: "US"
- # Client configuration related
- caName: "RA"
- common_name: "sdnc.simpledemo.onap.org"
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
- outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
#################################################################
# Secrets metaconfig
@@ -97,6 +73,14 @@ secrets:
password: '{{ .Values.config.odlPassword }}'
# For now this is left hardcoded but should be revisited in a future
passwordPolicy: required
+ - uid: dmaap-proxy-creds
+ name: &dmaapProxyCredsSecretName '{{ include "common.release" . }}-sdnc-dmaap-proxy-creds'
+ type: basicAuth
+ externalSecret: '{{ .Values.config.dmaapProxyCredsExternalSecret }}'
+ login: '{{ .Values.config.sdnr.dmaapProxy.user }}'
+ password: '{{ .Values.config.sdnr.dmaapProxy.password }}'
+ # For now this is left hardcoded but should be revisited in a future
+ passwordPolicy: required
- uid: netbox-apikey
type: password
externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}'
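Review bot: The new `dmaap-proxy-creds` entry is declared unconditionally and takes `login` and `password` from `config.sdnr.dmaapProxy.user` and `.password`, whose defaults added later in this file are the non-empty placeholders `addUserHere` and `addPasswordHere`. As a result `passwordPolicy: required` is always satisfied and cannot catch a deployment that enables the proxy without real credentials. `externalSecret` reads `.Values.config.dmaapProxyCredsExternalSecret`, but no hunk visible here adds that key under `config`, so it may need declaring alongside the other `...ExternalSecret` values. I would add a comment on the entry, `# placeholders only: set config.dmaapProxyCredsExternalSecret or override dmaapProxy.user/password before enabling dmaapProxy`, and either use the `&dmaapProxyCredsSecretName` anchor or drop it, since nothing in the hunk references it. The `secrets:` list continues outside the hunk.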
@@ -141,7 +125,8 @@ secrets:
# Certificates
#################################################################
certificates:
- - commonName: sdnc.simpledemo.onap.org
+ - mountPath: /var/custom-certs
+ commonName: sdnc.simpledemo.onap.org
dnsNames:
- sdnc.simpledemo.onap.org
p12Keystore:
@@ -250,6 +235,15 @@ config:
sdnrdbTrustAllCerts: true
mountpointRegistrarEnabled: false
mountpointStateProviderEnabled: false
+ # enable and set dmaap-proxy for mountpointRegistrar
+ dmaapProxy:
+ enabled: false
+ usepwd: true
+ user: addUserHere
+ password: addPasswordHere
+ url: addProxyUrlHere
+
+